10-02-2012 12:20 AM
According to https://live.paloaltonetworks.com/docs/DOC-2835 the (current) certified formats for use with CEF are:
Traffic
CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno
Threat
CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action msg=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno requestContext=$contenttype
Config
CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno
System
CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $eventid|$type $eventid|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$fmt externalId=$seqno
HIP Match
CEF:0|Palo Alto Networks|PAN-OS|4.1.0|$subtype $hip|$type $hiptype|1|rt=$cef-formatted-receive_time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt externalId=$seqno
A drawback with the above is that the software version field is hardcoded to 4.1.0, which means that each time PAN-OS is updated the technician must update the CEF strings (which will most likely fail once in a while).
Is there a reason for why there is no $version available or is it possible that such can show up if I file this as a feature request towards my sales engineer (or did I just miss which variable to use)?
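As an added example (not from the thread or from Palo Alto Networks), here is a small Python parser for lines produced by the Traffic format quoted above: it splits the seven header fields while honouring the `\|` and `\\` header escapes, cuts the extension into key/value pairs even where values contain spaces (`Source Zone`, `Total bytes`), and folds the `csNLabel`/`csN` (and `cn`, `flexString`, `flexNumber`) pairs into label-to-value entries. The `device_version` header field is exactly the hardcoded `4.1.0` the post complains about, so a collector can compare it with the version the device actually runs. The sample log line and all its values are constructed.

```python
import re
# Constructed sample in the Traffic format quoted above; every value is invented for illustration.
SAMPLE_TRAFFIC = (
    "CEF:0|Palo Alto Networks|PAN-OS|4.1.0|end|TRAFFIC|1|"
    "rt=Oct 02 2012 00:20:00 deviceExternalId=0001A100000 src=10.0.0.5 dst=198.51.100.7 "
    "cs1Label=Rule cs1=allow-web suser=corp\\\\jdoe app=web-browsing cs4Label=Source Zone cs4=trust "
    "spt=51234 dpt=443 proto=tcp act=allow flexNumber1Label=Total bytes flexNumber1=12345 externalId=42"
)
HEADER = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")   # start of an extension key
_LABEL = re.compile(r"^(cs|cn|flexString|flexNumber)(\d+)Label$")

def _split_header(line):
    # Seven '|'-delimited header fields; '\|' and '\\' are the only header escapes.
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, line[i:]                            # remainder is the extension

def _split_extension(ext):
    # key=value pairs; values may contain spaces ('Source Zone'), so each value runs to the next key.
    keys, out = list(_KEY.finditer(ext)), {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: "\n" if e.group(1) == "n" else e.group(1), raw)
    return out

def resolve_labels(ext):
    # Fold csNLabel/csN (and cn, flexString, flexNumber) pairs into label -> value.
    named = dict(ext)
    for key, label in ext.items():
        m = _LABEL.match(key)
        if m and (m.group(1) + m.group(2)) in ext:
            named[label] = named.pop(m.group(1) + m.group(2))
            named.pop(key)
    return named

def parse_cef(line):
    fields, ext = _split_header(line.strip())
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    rec = dict(zip(HEADER, fields))
    rec["cef_version"], rec["ext"] = rec["cef_version"][4:], resolve_labels(_split_extension(ext))
    return rec
```

Note that an unescaped `word=` inside a free-text value (such as `msg=$misc` in the Threat format) is ambiguous in CEF itself; the parser above cuts at it like any other key, so such values must be escaped by the sender.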
10-02-2012 01:54 PM
Currently there is no variable for the Pan-OS version and hard coding is the only way. There is a feature request open for this. Please check with your Sales so that this gets implemented in the future.
Thanks,
Sandeep T
08-12-2013 03:51 AM
Hi
Is there any non-CEF format standard for making the Palo Alto firewalls (version 4.1.x) successfully communicate with the HP ArcSight servers?
Currently we are trying the following but getting inconsistent results per firewall.
Grateful if you can advise please.
Traffic
1,$receive_time,$serial,$type,$subtype,1,$receive_time,$src,$dst,$natsrc,$natdst,$rule,$srcuser,$dstuser,$app,$vsys,$from,$to,$inbound_if,$outbound_if,$logset,$receive_time,$sessionid,$repeatcnt,$sport,$dport,$natsport,$natdport,$flags,$proto,$action,$bytes,$bytes,0,$pkts_sent,$receive_time,$elapsed,$category,0,$seqno,$actionflags,$srcloc,0,$pkts_received,$pkts_sent,traffic:$action:$risk-of-app,$bytes_sent,$bytes_received
The traffic information to the ArcSight server comes as unclassified and the device name is missing.
I look forward to hearing from you shortly.
Many thanks
Mandip M
08-13-2013 03:22 AM
I guess using CEF is the way to go if you want logs from your PA into your ArcSight.
You could of course create some flexconnector parser (I think it's called) but you would need to do this manually and I don't know how this would handle any whitespace characters (not to mention that you need to verify this for each major version of PA).
But sure, using a more "raw" format of the logging would save quite a few bytes compared to the CEF format. With CEF you have an estimated overhead of 604 bytes per log message which is then thrown away by the log collector. That is approx 48.32Mbit/s of unnecessary stuff on the network link at a rate of 10.000 msgs/sec.
Would be nice if PA could create an official parser lib for the flexconnector (or whatever it's called) which is then maintained and tested for various major versions.
09-05-2013 01:25 PM
Anyone who knows of any status regarding the panos_version variable for custom syslog formats, as well as the status of non-CEF formats to send data from PA to an ArcSight installation (that is, avoiding the CEF overhead)?